-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preliminary token revocation support #7
Open
dokai
wants to merge
1
commit into
tilgovi:master
Choose a base branch
from
dokai:token-revocation
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think the revocation handler has to know about response types. It needs to validate the revocation request (the base class implementation of
oauth2.RevocationEndpoint.validate_revocation_requestshould handle that).What's confusing is that I the revocation endpoint is the only endpoint that needs to know about the
RequestValidatordirectly. The rest of the endpoints all delegate to token, response, and grant types, which may use the validator. These built in handlers all take arequest_validatorkeyword to their constructor.Since pyramid-oauthlib creates exactly one
Serverinstance when it's included and cannot know what implementation ofRequestValidatoris needed, what do you think of a directive likeconfig.set_request_validator(). You must call it before you register any of the handlers and whatever you pass will be given implicitly as an extra keyword argument to all of their constructors.It means that, while the OAuthLib servers are usually configured to have one class be both a grant type and response type handler, we would actually probably instantiate the grant type twice (once in each role). I don't think that's a problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The revocation endpoint does seem like the odd man out here. If we have
config.set_request_validatordefine a default request validator, would the methods (e.g.config.add_grant_type) currently accepting arequest_validatorparameter still accept one as an override or would it go away? I don't see it such a problem if it goes away but it does change how it is now where you can provide a different request validator for each call.Would the parameter for
config.set_request_validatoraccept both a python import path to a callable producing the validator and a direct object reference to one?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm don't know that I see a use case for different request validators, but maybe there is one. If there is such a use case, one clear response is to just require the user to make some subclass mixing in the various request validator pieces they need so they can create one composite validator.
Definitely. All the directives accept dotted string references.